The infection chain starts with the compromised website being injected with the EITest script, located within some tags:

The URL for the EITest SWF is found within the injected script. Below is the GET request for the SWF file:

The EITest SWF redirects the host to the EITest gate where you can see the URL for the Rig EK landing page within the tag:

The response for the landing page (shown above) is compressed, so I’ll extract the file:

As always, a large portion of it is encoded. The decoded portion is shown below:

After the host is redirected to the Rig EK landing page we can see two GET requests for the same Flash exploit and the payload:

The payload is 156 KB in size. Here are some files created in %APPDATA%:

Looking through the PCAP I can see some additional GET requests directly to an IP for more data:

Following the GET for the data in /module/ I found post-infection HTTPS/TLS/SSL traffic to 91.235.129.178, which was resolving to zmluvsfe.com. Looking at the certificate information shows “commonName=vulnuzhz.com”:
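The DNS name versus certificate commonName mismatch noted above is a useful post-infection indicator. As an added example (not code from the original post), the check below correlates constructed DNS and TLS log lines and flags sessions whose certificate CN matches neither the SNI nor any hostname that resolved to the server IP; the only values taken from the page are 91.235.129.178, zmluvsfe.com and vulnuzhz.com, and the log layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original PCAP). Assumed layout:
# DNS: ts client qname qtype answer
# TLS: ts client server_ip port sni cert_subject
DNS_LOG = """\
1 10.0.0.5 zmluvsfe.com A 91.235.129.178
2 10.0.0.5 www.example.org A 203.0.113.10
"""

TLS_LOG = """\
3 10.0.0.5 91.235.129.178 443 - CN=vulnuzhz.com
4 10.0.0.5 203.0.113.10 443 www.example.org CN=www.example.org
"""

def build_dns_map(dns_log):
    """Map each answered IP to the set of hostnames that resolved to it."""
    ip_to_names = defaultdict(set)
    for line in dns_log.splitlines():
        ts, client, qname, qtype, answer = line.split()
        if qtype in ("A", "AAAA"):
            ip_to_names[answer].add(qname.lower())
    return ip_to_names

def cn_matches(cn, hostname):
    """True if the certificate name covers hostname (one-label wildcard only)."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        # A wildcard covers exactly one leftmost label, so label counts must agree.
        return hostname.count(".") == cn.count(".") and hostname.endswith(cn[1:])
    return cn == hostname

def find_mismatches(dns_log, tls_log):
    """Return (ts, server_ip, expected names, cert CN) for sessions whose
    certificate CN matches neither the SNI nor a DNS name for that IP."""
    ip_to_names = build_dns_map(dns_log)
    findings = []
    for line in tls_log.splitlines():
        ts, client, server_ip, port, sni, subject = line.split(maxsplit=5)
        m = re.search(r"CN=([^,/]+)", subject)
        cn = m.group(1).strip() if m else ""
        expected = set(ip_to_names.get(server_ip, set()))
        if sni != "-":
            expected.add(sni.lower())
        # No known name for the IP at all is also worth surfacing.
        if not expected or not any(cn_matches(cn, h) for h in expected):
            findings.append((ts, server_ip, sorted(expected), cn))
    return findings

if __name__ == "__main__":
    for hit in find_mismatches(DNS_LOG, TLS_LOG):
        print("CN mismatch:", hit)
```

Run it against exported Zeek-style dns and ssl logs after adapting the field order; a mismatch alone is not proof of compromise, but combined with the preceding /module/ download it corroborates the infection.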